No guru here ;)
Image 1 and 2 seem ok - nothing really to see actually.
But rule 3 : WAN_DHCP as a gateway ? I haven't set 'nothing'.

Do you see the login page ? Login User defined ? They have the 'rights' to visite the captive portal ?

Added to that : after reading https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting : first issue : people mess up DNS.
They leave the perfect DNS Resolver to switch to the DNS forwarder with exotic settings.
Better : FreeRadius + MySQL. Or better is : make portal work with local user authorization, and build up from there.
Then there are those with roque AP points.
VLAN mess … (not your issue probably).
DHCP server on each OPTx is ok ? (pool, etc)
So, client receive an IP, Gateway and DNS (last 2 should be the IP of the OPTx network - so 192.168.y.1)
Client can resolve ;D